Share this story

A government office charged with defending civil liberties has declared that warrantless border searches of laptops do not raise civil liberties issues. The Office for Civil Rights and Civil Liberties at the Department of Homeland Security recently released an executive summary [PDF] of its findings, but it has refused to release the details of its analysis.

The Fourth Amendment protects Americans against unreasonable searches by domestic law enforcement, but the courts have long held that our Fourth Amendment protections are more limited when we travel internationally. Border agents can conduct random searches of passengers' luggage looking for contraband at the border. No warrant, or even reasonable suspicion of wrongdoing, is required.

The government has interpreted this rule as extending to data on electronic devices. If you travel with your laptop, the government can turn it on and rifle through your digital files. The American Civil Liberties Union has sued to stop this practice, arguing that the Fourth Amendment requires officers to have some reason to suspect a crime has been committed before snooping through travelers' personal data.

Some also contend that searching laptops without reasonable suspicion violates the First Amendment. The Civil Rights and Civil Liberties Office at the DHS, which is theoretically in charge of "promoting respect for civil rights and civil liberties in policy creation and implementation" within the organization, disagrees.

"Some critics argue that a heightened level of suspicion should be required before officers search laptop computers in order to avoid chilling First Amendment rights," writes Tamara Kessler, the report's author. "However, we conclude that the laptop border searches allowed under the ICE and CBP Directives do not violate travelers' First Amendment rights."

In an e-mailed statement, Catherine Crump of the ACLU told Ars Technica that Kessler's position "cannot be squared with our constitutional protections for free speech and against unreasonable searches, and it is difficult to understand how engaging in purely suspicionless searches actually advances legitimate law enforcement interest."

If you'd like to read the rest of Kessler's analysis of the First Amendment issue, you're out of luck. While DHS released an executive summary of Kessler's findings, it is keeping the full report under wraps.

That rubs the ACLU the wrong way. "Given the report's troubling conclusion that its agents are entitled to the sweeping power to examine Americans' private papers, it is important that the agency make the full and complete report available," Crump told us. "The public has a strong interest in understanding the arguments and evidence that supports the report's conclusion, not just in knowing the ultimate results."

On Friday, the ACLU filed a request for the full report using the Freedom of Information Act, but the long delays and contentious litigation that often accompany the FOIA process mean that it may be many months before the public sees exactly why the DHS's civil liberties shop thinks suspicionless laptop searches at the border are consistent with the Bill of Rights.

Kessler did recommend some limited steps to prevent abuse of the government's laptop-searching powers, and the report says that DHS is putting these measures into practice. The department currently allows travelers to file a complaint if they are the victim of racial discrimination. This process will be expanded to cover coercive searches and alleged violations of free speech rights.

The report also recommends more internal auditing of laptop searches in the hopes of ferreting out evidence of misconduct. Of course, such reports may not have much effect if, like Kessler's own report, they're kept safely locked away from public scrutiny.

The Department of Homeland Security did not respond to a phone call and e-mail seeking comment for this story.

I wonder, what about full disk encryption? Can they compell me to hand over the password for decryption?

That is exactly what I would say. "I'm sorry you can see it turns on and is a laptop, but you're going to need a warrant to look at my files. Since DHS runs most airport security what would stop them from extending this to regular travel? Obviously the one extension is that they are searching laptops on international travel.

This probably wouldn't work for a lot of people, but leave your laptop at work (or home) powered on, bring a chromebook or other cheap laptop or tablet and remote in to it. Then the data isn't stored on the laptop, and can't be searched.

So you can't see the report from the in-house privacy lapdog explaining why they can root through your stuff with impunity. That seems fair. I guess the public reading the thing would violate DHS' privacy or chill their free speech rights.

"But the DHS's Civil Rights and Civil Liberties Office, which is theoretically in charge of "promoting respect for civil rights and civil liberties in policy creation and implementation" at DHS, disagrees"

So, the fox-appointed fox in charge of protecting hens that works at the fox department rules in favor of the fox.

Sounds ridiculous. I guess next year they will want you to log into your email too so they can search through that? Ne'er-do-wells will upload to a remote server, while we have to get our photo albums and business documents scanned.

This probably wouldn't work for a lot of people, but leave your laptop at work (or home) powered on, bring a chromebook or other cheap laptop or tablet and remote in to it. Then the data isn't stored on the laptop, and can't be searched.

I bet that idea works.I never did that as I don't travel much and never outside of USA.I do remember years ago fooling with an App that allowed Remote Access and when I visited a friend in California ( i live in maine) I could do stuff on my home machine which I left powered on.

Also, full disk encryption question aside, what if the data on your laptop isn't all yours? In my case, I primarily use my laptop for work (programming for health care industry). It contains valuble and sensitive IP such as code, VPN and SSH access credentials. Arguably I shouldn't travel with it, but say I need to. I would be fired if I handed all that over to some yahoo in a blue uniforn.

So now you have to upload your sensitive files to a cloud service. Erase the cloud service app. Cross the border. Re-download sensitive files.

How silly.

Dropbox just got a subpoena for your files. Why did you want to create such a hassle for them? Just hand over all your stuff to the government like a good citizen.

With all the security vulnerabilities dropbox has had in the past, nobody competent would upload anything sensitive without encrypting it first.

It's really not that hard people. I used disk utility on my mac to create a file I can double click, it asks for the decryption password, and mounts a read/write disk image where all the files encrypted automatically. I'm sure such things exist for other platforms too.

I've recently had an "interesting" experience with these clowns. They decided to search my vehicle. And according to them it's protocol to cuff you to a chair while they do this as if you were a criminal. So they get to humiliate you for no reason at all and you don't get to see them searching your car. They don't do an inventory either, so if something breaks or goes missing you're out of luck.This is like the third time in about 20 years I've had my vehicle randomly searched. But the free humiliation bit is defenetley new and completely unwarranted. The agent kept telling me "you're not under arrest, but this is protocol"As if I gave a fuck if its protocol or not, it doesn't make a diffence to the person they do it to with no justification at all. So I guess that if its protocol we should just bend over and take it.

So they made me wait for like 15 minutes and then the guy came back and he uncuffed me and didn't even apologize.

There's "deniable encryption" if you want to encrypt files, but may have to divulge the decryption keys to the authorities. This is basically encrypted file containers with two passwords, one for the real files, and one for fake files. Then you can give law enforcement the fake password, and they'll get to decrypt the wrong set of files, with no way to prove or even suspect there is another set of files.

My wife's company has a simple policy for all international travel (including trips to Canada). Always assume that your laptop is going to be confiscated.

This wasn't put in place because of issues at the US border, but previous issues with certain other countries.

Here's the policy:1. All business data is backed up company servers and removed from the laptop before traveling.2. The data can be downloaded to the laptop after arriving at your destination.3. However, if the system is removed from your control, even for a moment, the system must be wiped and re-imaged before using downloading any business data to it.4. Get a receipt if the authorities hold the system so that so you can get a new one from IT.5. Tell Legal so they can sort it out.

What's it supposed to catch? Are they going to seize computer viruses before they are able to enter the country? I find it difficult to come up with a rationale for this, whereas it's quite easy to come up with a rationale for a physical search at the border. I wonder if the early precedents that provide legal cover actually talk about why physical searches are permissible, and if those reasons were written broadly enough to actually cover searches of digital content.

There's "deniable encryption" if you you want to avoid this. Basically encrypted file containers with two passwords, one for the real files, and one for fake files. Then you can give law enforcement the fake password, and they'll get to decrypt the wrong set of files, with no way to prove or even suspect there is another set of files.

Yep, Google "Truecrypt" if anyone's interested.

Also, with MicroSD cards so small, whats to stop anyone from copying 128gb into that, putting it in your shoe and walking about?

Only the low hanging fruit and innocents are going to get caught up in this while the real baddies have loads of alternatives.

So now you have to upload your sensitive files to a cloud service. Erase the cloud service app. Cross the border. Re-download sensitive files.

How silly.

Yeah. Sounds like a good point. However, all that implies, to me, is that the government done already thunk of it. Or, if not, now they will. Geesh.

OK but the concept works. Bitlocker-encrypt a microSD card and stick it somewhere you can plausibly deny ever having seen it before.

I don't keep any sensitive data on my laptop whatsoever. If I need something when I'm traveling, I remote into my home or office and view it that way. (Not because I'm hiding anything from the government. With the number of laptops that get lost and stolen every year, I just don't want to have to worry that some random data on my laptop is going to lead a crook into my online banking or whatever).

If Customs asked to see my laptop, I would be sorely pissed off, not because I'm hiding anything, but as an American citizen, it makes no sense that I have or don't have 4th Amendment rights depending on where I happen to be. It would be a struggle for me to keep my snarky mouth closed, but there's no risk of them finding anything because there's nothing on their to find. And if there were, see my first paragraph.

There are no doubt a bunch of workarounds that your more educated/sensible/paranoid/organised* person can and will use, but that's not really the point.

The point is that slowly but surely, the rights and freedoms we all expect and assume we have are being removed under the premise that digital data is a completely alien, new and threatening entity and a different kettle of fish than its analogue equivalent when in most cases it isn't. Privacy is going out the window, and the higher ups in government agencies are rubbing their hands in glee at the prospect of yet more of peoples everyday lives being available to them without having to get those pesky warrants or justify the intrusion.

I'm not from or in the US but we have exactly the same kind of crap happening here in the UK and it scares the hell out of me.

This is moronic. Do they expect to catch something importnat? Haha.If anyone wants to hide something all they need to do is use a free program like Truecrypt to create an invisible encrypted folder, put evrything they want to hide in it.

Noone just looking at the computer will find it if they dont know it exists. So what will the 5 min boot up and browse do expet waste time and abuse honest people?

Also, full disk encryption question aside, what if the data on your laptop isn't all yours? In my case, I primarily use my laptop for work (programming for health care industry). It contains valuble and sensitive IP such as code, VPN and SSH access credentials. Arguably I shouldn't travel with it, but say I need to. I would be fired if I handed all that over to some yahoo in a blue uniforn.

I work with federal and private legal cases, which often times involves juvenile records. I have security clearance for that information, the TSA most certainly doesn't. My drive is encrypted, and usualy does not have any sensitive information on it to be extra safe (I always use the encrypted VPN + remote desktop to the machine at work method), but *no one* gets the password to my machine without a court order, and even so, only someone with similar clearance will ever look at it, and only under my own supervision.

What's it supposed to catch? Are they going to seize computer viruses before they are able to enter the country? I find it difficult to come up with a rationale for this, whereas it's quite easy to come up with a rationale for a physical search at the border. I wonder if the early precedents that provide legal cover actually talk about why physical searches are permissible, and if those reasons were written broadly enough to actually cover searches of digital content.

It's stupid for many different reasons. The most obvious one being that bits and bytes travel from country to country at the speed of light with no restrictions.

Also, full disk encryption question aside, what if the data on your laptop isn't all yours? In my case, I primarily use my laptop for work (programming for health care industry). It contains valuble and sensitive IP such as code, VPN and SSH access credentials. Arguably I shouldn't travel with it, but say I need to. I would be fired if I handed all that over to some yahoo in a blue uniforn.

As I work in the IT dept for a large organization that does a lot of international travel. They have gone the VPN/remote desktop route and provide clean loaner laptops for those that travel outside of the US borders.

I wonder, what about full disk encryption? Can they compell me to hand over the password for decryption?

Only if they are willing to drag you to court, unless law has changed and even there prosecution will have hard time to do so, has you are not in obligation to incriminate yourself.

Basically they want to see what there they have to use forensic tool to force their way in.

The trouble is that it is the border, if you don't cooperate, prepare to be stuck on border for a long time, cannot imagine how much the corporate would panic, if it happened while travelling to a remote network location to deal with a situation.

Radelix wrote:

jhollinger wrote:

Also, full disk encryption question aside, what if the data on your laptop isn't all yours? In my case, I primarily use my laptop for work (programming for health care industry). It contains valuble and sensitive IP such as code, VPN and SSH access credentials. Arguably I shouldn't travel with it, but say I need to. I would be fired if I handed all that over to some yahoo in a blue uniforn.

As I work in the IT dept for a large organization that does a lot of international travel. They have gone the VPN/remote desktop route and provide clean loaner laptops for those that travel outside of the US borders.

That indeed the best, to not be bothered by the situation described in the article.

There's always the probable idea of leaving a home network up and either using dialup or another internet connection to gain access.Alternatively keep an encrypted usb or sd or micro sd to transport files, so as long as the destination already has a copy of the key to open those.It's been mentioned in previous ars articles that so as long as law enforcement has an idea of whats on the drives that they can, theoretically, compel you to release your password. Otherwise if they don't have an idea of whats on the device they can't, they can still copy the contents and use brute force or whichever other decryption method they have to unlock the data.

Me? If I were to cross the border, I'd probably backup my cell phone contents, wipe the data, and keep the numbers that I need. Come back and restore the contents.--On a side note, is there a potential problem with this leading to 5th amendment rights? (seems highly doubtful)And what about border concerns? where is the line drawn? in particular border crossings over a body of water. Would a judge be ceding territory if they rule where the citizen looses his or her rights at the crossing point or at the 'imaginary' border along the bridge? Or would the judgement actually be in favor of the citizen?

I wonder, what about full disk encryption? Can they compell me to hand over the password for decryption?

Probably. At the very least, I would venture that they can prevent you from entering the country until you 'lighten up'.

FREEDOM ISN'T FREE

IF you have wealth to defend yourself (vis a vis you carry a computer and fly in an airplane), I believe documented citizens have the right to come home. IANAL (but I watch actors play lawyers on high-def television).

Still, no matter how wealthy you are, there's always rubber-hose cryptanalysis, and (again, that airplaine) you're weaponless and they aren't.

Now this is the market for Chromebooks. Just keep everything in the cloud and when they search in your computer, it's empty. That or just spideroak everything. The app itself doesn't even save the username and it's encrypted cloud storage.

The Office of Civil Liberties operates under the DHS?! Well, then, in that case, it's an office, for sure, but it has _nothing_ to do with civil liberties. That'd be like saying that the Institution for Global Peace operates under the U.S. Army. Oh. Fucking. God. The REAL office for civil liberties is the ACLU.

Another point: why would they make their document confidential? The ONLY conclusion is that there is information in said document which, if disseminated, would be a significant threat to national security. Which amounts to saying that traveling across the border is a threat to national security. In which case, we need to stop all travel into and out of the country. Not that it matters much to me anyway.

And we wonder why more people want more guns, as all of our rights are slowly whittled away.

Oh please, the gun nuts mostly don't understand the stripping away of rights going on nor will they take to guns to defend them. Is the NRA going to file an amicus brief with the ACLU for this? Hell no. Gun nuts only care about 1 right- the right to bear arms. Don't piss on my leg and tell me its raining.